DEFENSE INTELLIGENCE AGENCY

WASHINGTON, D.C. 20301
5 JUN 1985


MEMORANDUM FOR THE ASSISTANT SECRETARY OF DEFENSE (COMMAND, CONTROL, 
COMMUNICATIONS AND INTELLIGENCE) 

SUBJECT: The Director of Central Intelligence SAFEGUARDS Supplement to
DCID 1/16 (U)

Reference: ASD/C3I Memorandum dated 10 May 1985, Subject: Defense Central
Intelligence Memorandum NFIC-9.11/1, dated 22 January 1985.

1. As you are aware, the SAFEGUARDS were developed under the DCI COMPUSEC
program to evaluate the vulnerabilities of thirteen Critical Systems, seven of
which are under my cognizance as the approving authority. DIA has evaluated
the seven Critical Systems using the SAFEGUARDS as a guideline and has found
them to be useful in documenting system vulnerabilities.


2. (U) It is our view that the documents are aimed at different purposes.
The DoD CRITERIA are aimed at describing to vendors and system acquisition
authorities the features necessary to achieve certifiable levels of security
in the automated system, while the SAFEGUARDS are intended as interim
guidelines for accreditation of operational intelligence systems and in
particular the Critical Systems, processing SCI, identified by the DCI. Both
documents can be further enhanced to address technical discrepancies but
should not be viewed as incompatible even though there are some technical
inconsistencies.


3. [illegible] in your [illegible] DIA has compared the CRITERIA with
the SAFEGUARDS, and has assessed the impact of their implementation within the
DoD for systems for which I am the accreditation authority. The general
[conclusions] drawn from that assessment are: first, the SAFEGUARDS and the
CRITERIA are not consistent in the area of assurance, and in implementation
philosophy; second, the SAFEGUARDS, as an accreditation document, and the
CRITERIA, as a certification document, could be used together to achieve a
continuous program of enhanced ADP security as technology evolves. The
technical assessment is at the enclosure.


4. (U) To achieve an orderly transition of systems to a more secure base, I
recommend we establish a group to develop a common set of security criteria
the process. For that purpose, I fully support the 28 January
1985 Secretary of Defense direction to DIRNSA to establish a working group to
develop a common set of security criteria for use by all Designated Approving
Authorities.


1 Enclosure a/s 


25X1 


Acting Director 
DIA ASSESSMENT


1. The referenced memorandum requests that DIA review the DCI SAFEGUARDS
document for consistency with the DoD Computer Security Evaluation Center's
Criteria (a.k.a. The CRITERIA), and for impact of implementation of the
SAFEGUARDS within the DoD. The version of the SAFEGUARDS being used is
dated December 1984, of the CRITERIA, August 1983.

Consistency

2. Comparing the preface of the CRITERIA with the foreword of the
SAFEGUARDS one notes a difference in intent between the documents. In
particular, the SAFEGUARDS are intended to apply to some 13 operational
"Critical Systems" as an interim accreditation measure to improve the security
posture of those particular systems. These Critical Systems were designed,
developed, and implemented prior to the existence of the CRITERIA. The
CRITERIA is intended to describe to vendors and acquisition personnel the security
features deemed necessary in order to achieve identifiable and certifiable levels of
security protection. In respect to intent the documents are incomparable rather
than inconsistent.


3. On the other hand, both documents address specific feature requirements for
system security. It would seem desirable that these features, which must clearly
differ in implementation, should be stated consistently. In this regard both the
DoD and the DCI are indeed fortunate in that the primary author of the CRITERIA
is also a primary author of the SAFEGUARDS, and that under her
guidance the features for the compartmented mode in the SAFEGUARDS were
chosen to match the B2 level of the CRITERIA, thus making comparison for
consistency feasible.

Comparison of Class B2 with the Compartmented Mode 
4. Assurance. The implementation of features will differ because of the
difference in intent between the CRITERIA and the SAFEGUARDS. In particular
the way in which assurance is achieved is different. Assurance is a combination of
trust in procedure and personnel, and of trust in the correctness of automation.
The CRITERIA places more assurance requirements against the correctness of
automation of features and less against the people and environment, whereas the
SAFEGUARDS places less assurance requirements against the correctness of
automation and more against people and environment. This tradeoff is a
reasonable course of action for the SAFEGUARDS in order that it might
accomplish the objective of dealing with currently operational critical systems.
Thus the assurance features of the CRITERIA and the SAFEGUARDS could be
called consistent in net effect.


5. Discretionary Access Control. A difference exists in that the CRITERIA allows
granting of discretionary access permission to an arbitrary user by some other
arbitrary user, whereas the SAFEGUARDS allow only a cognizant authority to
extend access permissions against classified information.


Enclosure to C-10.048/RSE 
It is interesting that [illegible] DCI policy (DCID 1/16), and [illegible]
Control permission of the [illegible] all match more closely the
SAFEGUARDS version of Discretionary Access Control than the version given in
the CRITERIA. The SAFEGUARDS and the CRITERIA are inconsistent, with the
SAFEGUARDS apparently offering the more secure approach.
6. Mandatory Access Control. The CRITERIA and the SAFEGUARDS use different
words in the statement of this requirement. Both statements imply a no write
down property and both permit arbitrary creation and classification of data.
DIA has noted the provision for arbitrary creation and classification of data in
both documents as it transgresses the requirement for a classification authority to
determine the classification of data.


7. Object Reuse, Audit, and Trusted Path. These requirements are basically
consistent.


8. Authentication. Here there is a major inconsistency as the
CRITERIA requires protection of authentication information, while the
SAFEGUARDS do not. The CRITERIA has the correct requirement as unprotected
information of this sort poses a security vulnerability.


9. Labels, System Architecture, System Integrity. These features are addressed by
both documents but their statements are not comparable. The lack of
comparability arises out of the difference in intent between the documents. While
the CRITERIA calls for a great deal of robustness in these features, the
SAFEGUARDS recognizes the lack of feasibility of implementation of such
robustness in existing (older) systems without recourse to system replacement.


10. Trusted Facility Management, Trusted Recovery, and Environmental and
Administrative Protections. These requirements are not comparable between the
documents. In general, the CRITERIA places less of its assurance in these
non-automated functions than does the SAFEGUARDS.


11. Testing, and Design Specification and Verification. These criteria are
incomparable between the documents. In general, the CRITERIA places more of its
assurance in these automated functions than does the SAFEGUARDS.


12. Covert Channel Analysis. This assurance requirement is not addressed in the
SAFEGUARDS but is addressed in the CRITERIA. There is a significant
technological problem involved in performing such an analysis on a critical system
due to the lack of structure inherent in its operating system. At the B2 level, and
above, of the CRITERIA, such an analysis is made feasible because of the intense
structuring of the operating system. Such structuring is not inherent in the Critical
Systems.


13. Trusted Distribution is not addressed in the CRITERIA at the B2 level. The
CRITERIA places similar assurances in automated elements of the system rather
than in this administrative element.
Impact

14. The impact on DIA mission of implementation of the SAFEGUARDS would be
in the area of resource expenditure and ability to respond to operational security
problems of the Critical Systems. DIA has found that the SAFEGUARDS do not
address several of the vulnerabilities which have been identified in "Critical
Systems". Therefore, it is our conclusion that while improvement of the security
of the "Critical Systems" will be achieved through implementation of the
SAFEGUARDS (increased auditing, stronger user identification, increased labeling
responsibility, etc.), some of the real operational vulnerabilities of these systems
will be incompletely and inadequately addressed (uncontrolled asynchronous
interfaces, data integrity, channel reliability, etc.)

15. DIA has not concurred with implementation of the SAFEGUARDS as large
resource expenditures would be required in order to comply with it, and those
resources have not been available. DIA cannot fully implement the SAFEGUARDS
until the resources required to comply with them are made available. DIA has,
within resources available, identified the highest priority vulnerabilities in its
Critical Systems and is attempting to correct them.

Conclusion and Recommendation 


[illegible] believes that the SAFEGUARDS, as an accreditation document, and the
CRITERIA, as a certification document, are each of value, and that, with great
care, they could be used together to achieve a continuous transitional program of
enhanced ADP security for the Intelligence Community and the DoD. For this
reason, the DIA staff recommends that a carefully conceived uniform accreditation
policy be developed for use by all Designated Approving Authorities. Such a policy
should incorporate the excellent ideas represented in the CRITERIA and in the
SAFEGUARDS.